Prefix hijacking is a common phenomenon in the Internet that often causes routing problems and economic losses. ARTEMIS is a tool for network administrators that allows them to detect in real time and automatically mitigate prefix hijacking incidents against prefixes under their administrative control, by employing self-monitoring on the AS level. ARTEMIS employs real-time monitoring of BGP data (e.g., BGP updates exported by route collectors) and can: (a) detect a prefix hijacking attack within a few seconds, and (b) completely mitigate the hijack within a few minutes (e.g., 2-5 minutes in the initial experiments on the real Internet with the PEERING testbed). This fast response time enables legitimate ASes to quickly counter the hijack based on data they observe themselves on the control plane.

The goal of this project is to implement ARTEMIS as a multi-module application running on top of ONOS, using the prior work and code-base of the SDN-IP project, as well as testing the application over a real BGP testbed such as PEERING. The final objective is to have an open-source implementation of ARTEMIS running on top of a popular production-grade Network Operating System. This implementation will then enable researchers and operators to test miscellaneous BGP prefix mitigation strategies over real-world testbeds and production networks, and extract results that are relevant to today's ISP operations; such results would otherwise not be possible to produce.

The name of the application (ARTEMIS) is inspired by the initials of Automatic and Real-Time dEtection and MItigation System. Moreover, it is the name of the Greek goddess Artemis, who according to ancient Greek mythology is the goddess of hunting.

Prerequisites

Basic knowledge of the BGP protocol and its best path selection algorithm is required in order to fully grasp the concepts behind ARTEMIS. However, everyone with basic ONOS and mininet skills can follow the demo without this prior knowledge.

Architecture & functionality

ARTEMIS consists of three components: a monitoring (1), a detection (2) and a mitigation (3) service, as shown in Figure 1:

1) The monitoring service runs continuously and provides control plane information from the AS itself, the streaming services of RIPE RIS and BGPstream (from RIPE RIS and RouteViews), as well as BGPmon and Periscope, which return almost real-time BGP updates for a given list of prefixes and ASNs.

2) The detection service combines the information from these sources; the minimum delay of the detection service is the delay for the first suspicious BGP update to arrive (from any source). ARTEMIS can be parameterized (e.g., selecting BGP monitors based on location and/or connectivity) to achieve trade-offs between monitoring overhead and detection efficiency/speed.

3) When a prefix hijacking is detected, ARTEMIS automatically launches its mitigation service. Since in Internet routing the most specific prefix is always preferred, ARTEMIS modifies the BGP configuration of the routers so that they announce deaggregated sub-prefixes of the hijacked prefix (that are most preferred from any AS). After BGP converges, the hijacking attack is mitigated and traffic flows normally back to the ARTEMIS-protected AS (the one that runs ARTEMIS). Therefore, ARTEMIS assumes write permissions to the routers of the network, in order to be able to modify their BGP configuration and mitigate the attack. This can be effectively accomplished by running ARTEMIS as a set of application-level modules, over a network controller that supports BGP, like ONOS.

Note: Prefix deaggregation is effective for hijacks of IP prefixes less specific than /24, but it might not work for /24 prefixes or more specifics.
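The deaggregation step and its /24 limit, sketched as an added example (this is not ARTEMIS or ONOS code). The origin-AS comparison is a simplified stand-in for the detection service, whose logic the page does not specify; the function names, the 10.10.0.0/22 prefix and the ASNs 65001/65002 are constructed for illustration.

```python
import ipaddress

# Constructed sample configuration: private-use address space and ASNs.
OWNED = {ipaddress.ip_network("10.10.0.0/22"): {65001}}
MAX_LEN = 24  # per the note above: /24 or longer may not be fixable this way


def affected_prefix(announced, origin_as, owned=OWNED):
    """Return the owned prefix an announcement hijacks, or None.

    Assumption: an exact or more-specific announcement of an owned prefix
    from an origin AS that is not on the allowed list counts as a hijack.
    """
    net = ipaddress.ip_network(announced)
    for owned_net, origins in owned.items():
        same_family = net.version == owned_net.version
        if same_family and net.subnet_of(owned_net) and origin_as not in origins:
            return owned_net
    return None


def deaggregate(hijacked):
    """Split the hijacked IPv4 prefix into its two more-specific halves."""
    net = ipaddress.ip_network(hijacked)
    if net.version != 4 or net.prefixlen >= MAX_LEN:
        return []  # cannot rely on out-specifying the hijacker
    return [str(s) for s in net.subnets(prefixlen_diff=1)]


def plan_mitigation(announced, origin_as, owned=OWNED):
    """Return (is_hijack, prefixes_to_announce) for one observed BGP update."""
    if affected_prefix(announced, origin_as, owned) is None:
        return (False, [])
    return (True, deaggregate(announced))


if __name__ == "__main__":
    # Constructed updates: (prefix, origin AS)
    for prefix, origin in [("10.10.0.0/22", 65001), ("10.10.0.0/22", 65002),
                           ("10.10.2.0/23", 65002), ("10.10.1.0/24", 65002)]:
        print(prefix, origin, plan_mitigation(prefix, origin))
```

An empty announcement list together with `is_hijack` set to true marks the case from the note: the hijacked prefix is already a /24 or longer, so deaggregation alone is not expected to win.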
ONF / Foundation for Research and Technology - Hellas (FORTH), Institute of Computer Science, INSPIRE group
Foundation for Research and Technology - Hellas (FORTH), Institute of Computer Science, INSPIRE group
Engineering Supervisor / Secondary Kotronis